我的 ASP.NET v3.5 Web 应用程序在尝试打开与 SQL Server 2008 数据库的连接时抛出以下异常:
System.Data.SqlClient.SqlException:
无法打开数据库“MyDbName”
由登录请求。 登录
失败的。 用户“NT”登录失败
权威机构\IUSR'。
问题是,我已将 NT AUTHORITY\IUSR 添加到服务器的登录列表和数据库的用户列表中。 对于服务器,我已授予用户 Public 角色,对于数据库,我已授予 db_datareader 权限。
我还为 NT AUTHORITY\NETWORK SERVICE 授予了相同的权限,这是应用程序池运行时使用的标识。
Web 应用程序由 IIS7 托管(如果这有影响的话)。 当DB和IIS也在同一台物理机上时,问题会重现。
My ASP.NET v3.5 web application is throwing the following exception when it attempts to open a connection to a SQL Server 2008 database:
System.Data.SqlClient.SqlException:
Cannot open database "MyDbName"
requested by the login. The login
failed. Login failed for user 'NT
AUTHORITY\IUSR'.
The thing is, I've added NT AUTHORITY\IUSR to the server's list of logins, and to the database's list of users. For the server, I've granted the user the Public role, and for the database I've granted db_datareader permissions.
I've also granted the same for NT AUTHORITY\NETWORK SERVICE, which is the identity that the application pool is running under.
The web application is hosted by IIS7, if that makes a difference. The problem repros when the DB and IIS are on the same physical machine as well.
发布评论
评论(9)
这里的技巧是,
NT AUTHORITY\NETWORK SERVICE实际上在数据库中显示为DOMAINNAME\MACHINENAME$(注意$符号!)。 也就是说,当您跨越计算机边界从 Web 服务器到达 SQL Server 时,如果您使用 NETWORK SERVICE 或 LOCAL SYSTEM 帐户,则 SQL Server 会看到计算机帐户。 如果您使用任何其他非域帐户,SQL Server 将不会收到您的凭据。我对你的错误消息有点困惑。 说实话,我认为当数据库位于另一个机器上时,除了
Login Failed for NT AUTHORITY\ANONYMOUS LOGON之外,您不会看到任何其他内容。IUSR用于匿名网站,无法通过网络传递到 SQL Server。 如果你在同一台机器上做所有事情,你可能会找到一种方法让它工作,但我永远不知道,因为我永远不会那样做......;-)The trick here is that
NT AUTHORITY\NETWORK SERVICEactually appears to the database asDOMAINNAME\MACHINENAME$(note the$sign!). That is, when you cross the machine boundary from your web server to the SQL Server, SQL Server sees the machine account if you use theNETWORK SERVICEorLOCAL SYSTEMaccounts. If you use any other non-domain account, SQL Server will not receive your credentials.I'm a bit puzzled by your error message. Truth be told, I don't think that when the DB is on another box, you'll see anything other than
Login Failed for NT AUTHORITY\ANONYMOUS LOGON.IUSRis used for anonymous websites, and can't pass over the wire to SQL Server. You may find a way for it to work if you're doing everything on the same machine, but I'd never know because I'd never do it that way... ;-)需要注意的是,如果您没有将 IIS 配置为允许模拟,但您的 web.config 确实尝试进行模拟,那么您将收到此错误,正如我刚才所做的那样。
我刚刚遇到了这个确切的错误,需要执行以下所有步骤:
确保 IIS Web 服务器上启用了 ASP.NET 模拟:
将其与配置您的网站以使用模拟 (web.config) 相结合:
上述步骤假定您在 MSSQL 上为“your_service_acct”设置了具有权限的 SQL 登录
当在本地主机上运行时,针对 localdb,甚至是您个人拥有权限的远程数据库,开发 IIS 会像您一样运行- 一切都神奇地发挥作用。 因此,在调试模式下,您不需要创建特殊的 web.config..
一旦您将站点部署到某种服务器(在我的例子中,我们的测试环境)上,您可能需要完成以下操作我只是详细说明了上述步骤,因为 IIS 会尝试以应用程序池用户的身份进行连接,从管理角度来说,这通常不是您想要的。 因此,这就是您想要开始使用 web.config 转换,因此 Visual Studio 将在“发布...”部署步骤期间插入适当的
identity impersonate="true"。It's important to note that you'll get this error, as I just did, if you don't have IIS configured to allow impersonation, but you do have your web.config attempting to do impersonation.
I just came across this exact error, and all of the following steps are required:
Ensure ASP.NET impersonation is enabled on your IIS web server:
Combine that with configuring your site to use impersonation (web.config):
The above steps presume that you have a SQL Login setup on your MSSQL for 'your_service_acct' with permissions
When running on localhost, against a localdb, or even a remote db that you personally have permissions on, the development IIS runs as if it were YOU - and everything just magically works. So, in debug mode, you don't need to create a special web.config..
As soon as you deploy your site onto some kind of server (in my case, our TEST environment) you'll likely need to have done the above steps I just detailed, because IIS will try to connect as the application pool user, which is not usually what you want administratively speaking. So, that's when you want to start using web.config transformations, so Visual Studio will insert the appropriate
identity impersonate="true"during your 'Publish...' deployment step.如果它对某人有帮助,在 web.config 中,我添加了
< system.web>)In case it helps someone, in web.config I added
<identity impersonate="false" />for this error to go away (under<system.web>)这对我有用:
打开 IIS 管理器 (inetmgr)
在“连接”面板中,深入到站点的节点并选择它
在右侧面板的“IIS”组下,双击“身份验证”图标。
右键单击“匿名身份验证”,然后从上下文菜单中选择“编辑...”。
在弹出的对话框中,选择“应用程序池标识”单选按钮。
单击“确定”。
this worked for me:
Open the IIS Manager (inetmgr)
In the "Connections" panel, drill down to your site's node and select it
In the right-hand panel, under the "IIS" group, double click the "Authentication" icon.
Right-click on "Anonymous Authentication" and choose "Edit..." from the context menu.
In the popup dialog, select the "Application pool identity" radio button.
Click OK.
无需在连接字符串中使用
Integrated Security=True;,只需使用用户名和密码身份验证user=sa; pwd=我的密码;Instead of using
Integrated Security=True;in connection string, just use username and password authenticationuser=sa; pwd=mypassword;简单的解决方案是检查您的 web.config 文件并确保其中之一是数据库连接字符串的一部分:
Trusted Connection=false
或
Integrated Security=True
The simple solution is to check your web.config file and make sure one of these is part of the db connection string:
Trusted Connection=false
OR
Integrated Security=True
当您在上一个数据库上恢复新数据库时,会出现此问题。
要解决此问题,您必须转到 sqlserver,然后转到安全性,然后再次设置您的应用程序池。
This problem is shown when you restore a new database on your last database.
To resolve this you must go to sqlserver, then security and then set your apppool again.
我建议创建一个单独的(最好是域)帐户并在连接字符串中指定它(通常在 web.config 中)
然后,您可以限制 Web 服务器上该帐户可以执行和不能执行的操作的权限。
然后您可以在 SQL Server 中授予该帐户所需的权限。
I would suggest to create a separate (preferably domain) account and specify it in the connection string (usually in web.config)
Then you can limit permissions on the web server what this account can and cannot do.
Then you can grant this account required permissions in SQL server.
我遇到了同样的问题并通过更改应用程序池解决了这个问题。
I had had the same problem and solved this by changing application pool.